Content-Security-Policy: default-src *

Question

I started exploring Content Security Policy on a website which uses inline scripts and other crimes. I configured CSP per header field like this:

content-security-policy: default-src *; frame-ancestors 'self'; style-src 'self' 'unsafe-inline' fonts.googleapis.com cdn.jsdelivr.net *.stripe.com; report-uri https://sentry.io/api/x/csp-report/?sentry_key=y

My problem now is that the browser complains with the following message:

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src *"

I read the documentation for default-src <source> which states that <source> can be one of the following sources:

• <host-source>
• <scheme-source>
• 'self'
• 'unsafe-inline'
• etc.

It seems to me that the asterisk can only be used for host sources. But what else can I do since only one <source> seems to be allowed? default-src * 'unsafe-inline' would not be compliant, right?

My goal basically is to use a minimal CSP configuration which works (and can be embedded via iframe). I am aware that it's best practice to go on with specific rules.

Answer 1

It seems to me that the asterisk can only be used for host sources.

Yes

But what else can I do since only one <source> seems to be allowed?

Multiple <source>s are allowed.

default-src * 'unsafe-inline' would not be compliant, right?

It’s compliant.

You can use https://cspvalidator.org/ to check. Or https://csp-evaluator.withgoogle.com/.

But you really want to avoid specifying 'unsafe-inline' in any CSP policy. Using 'unsafe-inline' pretty much defeats the entire purpose of CSP.

What you want to do instead for any inline scripts causing CSP errors is: take the scripts out of your document and move them into separate files. That’s sort of the whole point.

But if you really must specify 'unsafe-inline', then as far as the dealing with the specific error cited in the question, you should only specify 'unsafe-inline' for script-src — because the error message says, “Refused to execute inline script.”

If you instead specify 'unsafe-inline' for default-src, then that causes the browser to fail to do CSP checks for any inline resources in your document — stylesheets, etc., too, not just scripts.

So if the only problem is an inline script and for some reason you can’t fix that by moving the script out to a separate file, or specifying a hash or nonce for it, then you should at least only specify 'unsafe-inline' for script-src.